powershell_events

Powershell script blocks reconstructed to their full script content, this table requires script block logging to be enabled.

Table schema

Name Type Description
time BIGINT Timestamp the event was received by the osquery event publisher
datetime TEXT System time at which the Powershell script event occurred
script_block_id TEXT The unique GUID of the powershell script to which this block belongs
script_block_count INTEGER The total number of script blocks for this script
script_text TEXT The text content of the Powershell script
script_name TEXT The name of the Powershell script
script_path TEXT The path for the Powershell script
cosine_similarity DOUBLE How similar the Powershell script is to a provided ‘normal’ character frequency

Query examples

select * from powershell_events;
select * from powershell_events where script_text like '%Invoke-Mimikatz%';
select * from powershell_events where cosine_similarity < 0.25;